Number of merge requests associated with milestones are visible from private projects
**[HackerOne report #675427](https://hackerone.com/reports/675427)** by `ashish_r_padelkar` on 2019-08-17, assigned to `estrike`:

### Summary

Hello,

I reported this before here at #529951 in a comment, but it looks like it was missed from your side to fix it, and I also forgot to test it again as it was a comment. The main issue reported was fixed but not this one.

So basically, when merge requests are associated with milestones, the counts with their statuses are visible publicly when:

1. A private project is inside a public group, when project merge requests are associated with public group milestones.
2. Merge requests are set as `Only Project Members` in public projects when associated with milestones.

### Steps to reproduce

1. Create a public project with Repository set as `Only Project Members`.
2. Create a merge request inside it and associate it with a milestone, e.g. `Milestone1`.
3. Log in as a different user. This user won't see the merge requests as the user is not a member.
4. But he can see the milestone as issues are visible. So the user can go to the milestone page `/thisispublicproject/-/milestones/<ID of Milestone1>` and can see the number of merge requests associated with this milestone in the right side bar:

![Screenshot_2019-08-17_at_12.16.38.png](https://h1.sec.gitlab.net/a/7962cfc6-f2eb-46f6-b7d7-dc426e0e8fa3/Screenshot_2019-08-17_at_12.16.38.png)

The same thing happens when a public group contains a private project and the merge requests are associated with group milestones!

### What is the current *bug* behavior?

Able to see the number of merge requests along with their status when associated with milestones.

### What is the expected *correct* behavior?

Merge request information should not be visible publicly when they are not allowed to be.

### Output of checks

This bug happens on GitLab.com and must be on omnibus installations too!

Regards,
Ashish

## Impact

When merge requests are associated with milestones, the counts with their statuses are visible publicly when:

1. A private project is inside a public group, when project merge requests are associated with public `group milestones`.
2. Merge requests are set as `Only Project Members` in public projects when associated with milestones.

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [Screenshot_2019-08-17_at_12.16.38.png](https://h1.sec.gitlab.net/a/7962cfc6-f2eb-46f6-b7d7-dc426e0e8fa3/Screenshot_2019-08-17_at_12.16.38.png)
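The underlying defect in this report is a general one: an aggregate (the milestone sidebar's merge-request counts by state) was computed over every merge request attached to the milestone, while the per-item visibility check (project visibility plus the project's merge-request feature access level) was only applied when rendering the merge requests themselves. The following is an added, self-contained Ruby model of that mistake and its fix; it is not GitLab's code, and `Project`, `MergeRequest`, `Milestone`, `mr_counts_leaky`, `mr_counts_scoped` and the sample projects are assumed names and constructed data that mirror the two scenarios in the report (a public project whose merge requests are `Only Project Members`, and a private project under a public group with a group milestone).

```ruby
# Added illustrative model, not GitLab code. Names and data below are assumptions.
# :mr_access => :enabled mirrors "Everyone With Access", :private mirrors
# "Only Project Members" on the project's merge-request feature.
Project = Struct.new(:path, :visibility, :mr_access, :members, keyword_init: true)
MergeRequest = Struct.new(:project, :state, keyword_init: true)
Milestone = Struct.new(:title, :merge_requests, keyword_init: true)

def member?(project, user)
  !user.nil? && project.members.include?(user)
end

# A project is readable if it is public or the viewer is a member.
def project_readable?(project, user)
  project.visibility == :public || member?(project, user)
end

# Merge requests are readable only if the project is readable AND the
# merge-request feature is open to this viewer (enabled, or viewer is a member).
def merge_requests_readable?(project, user)
  return false unless project_readable?(project, user)
  project.mr_access == :enabled || member?(project, user)
end

# Tally merge requests by state into the shape the sidebar would display.
def tally(mrs)
  counts = Hash.new(0)
  mrs.each { |mr| counts[mr.state] += 1 }
  { total: mrs.size, opened: counts[:opened], merged: counts[:merged], closed: counts[:closed] }
end

# Leaky version: counts every MR on the milestone regardless of who is asking,
# which is the behaviour the report describes.
def mr_counts_leaky(milestone, _user)
  tally(milestone.merge_requests)
end

# Hardened version: apply the same per-project visibility rule to the rows that
# feed the aggregate, so a non-member sees only counts of MRs they could open.
def mr_counts_scoped(milestone, user)
  visible = milestone.merge_requests.select { |mr| merge_requests_readable?(mr.project, user) }
  tally(visible)
end

# Constructed sample data (not from the report's screenshot).
PUBLIC_PROJECT_PRIVATE_MRS = Project.new(
  path: "group/thisispublicproject", visibility: :public, mr_access: :private, members: ["owner"]
)
PRIVATE_PROJECT_IN_PUBLIC_GROUP = Project.new(
  path: "group/secret", visibility: :private, mr_access: :enabled, members: ["owner"]
)
PUBLIC_OPEN_PROJECT = Project.new(
  path: "group/open", visibility: :public, mr_access: :enabled, members: ["owner"]
)

# One group milestone referenced from all three projects.
GROUP_MILESTONE = Milestone.new(title: "Milestone1", merge_requests: [
  MergeRequest.new(project: PUBLIC_PROJECT_PRIVATE_MRS, state: :opened),
  MergeRequest.new(project: PUBLIC_PROJECT_PRIVATE_MRS, state: :merged),
  MergeRequest.new(project: PRIVATE_PROJECT_IN_PUBLIC_GROUP, state: :closed),
  MergeRequest.new(project: PUBLIC_OPEN_PROJECT, state: :opened),
])

if __FILE__ == $PROGRAM_NAME
  p mr_counts_leaky(GROUP_MILESTONE, nil)        # anonymous viewer, leaky count
  p mr_counts_scoped(GROUP_MILESTONE, nil)       # anonymous viewer, scoped count
  p mr_counts_scoped(GROUP_MILESTONE, "owner")   # member sees everything
end
```

The practical check this suggests for any similar sidebar or dashboard widget: compute the aggregate from the same visibility-filtered relation that the listing page uses, rather than from a raw association on the milestone, and test it with an anonymous viewer as well as a logged-in non-member.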